TSPY_BEBLOH.SMJ
Overview



Type: Spyware

In the wild: No

Destructive: No

Language: English

Systems affected: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating: Low

Reported detections: Low

System impact: High

Information exposure: High

 

Description:

Trend Micro has flagged this spyware as noteworthy due to its increased potential for damage, propagation, or both. Specifically, it not only steals account credentials but can also steal money from accounts.

To get a one-glance comprehensive view of the behavior of this spyware, refer to the Threat Diagram shown below.

TSPY_BEBLOH.SMJ Threat Diagram

Spyware Overview

This spyware may be downloaded from remote sites by other malware. It may also be dropped by other malware.

It decrypts its configuration file, which hooks to the site meine.deutsche-bank.de. This file contains a section for each site. Below is a screenshot of a portion of the decrypted configuration file:

It is also capable of stealing money from accounts. It does this after stealing account credentials from targets. To cover up this scheme, it manipulates the account page to display no changes in the user's account balance. Below is a screenshot of the code in the configuration file used to manipulate the account page:

It then sends the gathered information via HTTP POST to a remote URL.


Description created: Oct 1, 2009

Revision history: Oct 1, 2009 - Modified malware report



